As the mechanisms to keep technology safer have gotten more sophisticated, so have the attackers who seek to benefit from and monetize our stolen files and data. One of the more recent strategies employed to steal data is extortionware. Extortionware is different from ransomware. With ransomware, files are encrypted, and a ransom is demanded for decryption. With extortionware, attackers encrypt data and threaten to publicly leak it. This means we have to be diligent about following best practices for computing. To illustrate the progression of extortionware, we will follow our fictitious employee, Sam, as he deals with the fallout from his lack of adherence to his company’s cybersecurity policies.
One morning, Sam sat frozen at his desk, staring at his screen. A dark window showed this menacing message: “Your files have been encrypted. Pay $15,000 in cryptocurrency within 72 hours, or your data will be shared publicly then permanently destroyed.”
Sam’s stomach churned. This was extortionware and he was the victim! The clues fell quickly into place. That strange email last week from a “delivery partner,” which he had clicked on without thinking. The unapproved USB drive he had used the day before to transfer reports because it was “easier” than the secure cloud drive IT had set up. The reminder from the security training he had brushed off: Never bypass company policies; they exist for a reason. Now, the reasons were staring him in the face.
As reality sank in, Sam’s mind replayed the four phases of the attack like a grim case study. The initial compromise (1) was the careless click on the email from that “delivery partner” without double-checking the authenticity of the sender. Then there was the mistake of logging into his personal email from his work laptop, using the same weak password he’d used for years across multiple accounts.
His lack of attention allowed them to engage in reconnaissance (2), moving through the company network to map out his shared drives, probe for reused passwords, watch his keystrokes, and discover that his company credentials matched his personal ones. His negligence had handed them both halves of his digital life.
That thought made his chest tighten. His carelessness allowed them to exfiltrate (3) his files and extract client invoices, financial spreadsheets, and contracts from the network. Every shortcut Sam had taken—saving files on his desktop, emailing sensitive attachments to his personal account “just for convenience”—had made their job easier.
He remembered thinking his computer was slower a couple of days ago, but he hadn’t reported it. That must have been their data haul in progress. Now here he was, confronting an extortion (4) notice. The message on his screen was proof: they didn’t just lock his files; they had stolen them. Now, unless the company paid, those files and messages could be dumped online.
Sam felt sick. His carelessness created a direct threat to the company’s reputation, to client trust, and to his colleagues’ hard work. He immediately disconnected his computer from the network, yanking the Ethernet cable and shutting off the Wi-Fi to prevent further spread of the attack. His hands trembled as he called IT, one of the hardest things he’d ever done. The head of IT security didn’t scold him. They didn’t need to. The disappointment and disdain in their silence spoke louder than words. His actions, or lack thereof, had opened the door to attackers who now potentially had access to sensitive company data.
By noon, Sam’s entire department had halted work while IT assessed the damage. Projects stalled. Clients called, confused about delays. Sam could feel the weight of everyone’s productivity and the company’s reputation hanging over his mistake. That afternoon, his manager pulled him aside and gave him a formal reprimand, rescinded his quarterly bonus, and required him to complete additional cybersecurity training. More punishing, though, was the knowledge that he had put the entire company at risk.
That night, Sam promised himself that things would change. He would:
- Verify the source before ever clicking a link or downloading an attachment.
- Use the secure systems the company had put in place, no matter how inconvenient they felt.
- Report suspicious activity immediately instead of brushing it aside.
- Treat cybersecurity not as an optional nuisance, but as part of his responsibility to his colleagues and his company.
Thanks to IT’s backups and swift response, the breach was resolved, but Sam’s memory of that day never faded. Every time he logged in, he thought of the blinking message that had locked him out of his work and nearly cost the company its future. Each time, he resolved to be better, knowing the truth that security isn’t just IT’s job; it’s everyone’s.

Courtesy, Karen Clay
